Patch Management Policy

This Policy provides the basis for an ongoing and consistent Information Asset component (operating system, firmware, utilities, and application) update policy that stresses regular security updates an

Scope

The Policy applies to all Employees who create, deploy, or support Information Asset components.

Information Asset Patch Management

Servers

  • Production servers must have up-to-date security patches, hotfixes, and service packs installed to protect them from known vulnerabilities.

  • Normal Implementation Cycle (30 days). The normal implementation cycle is 30 days after release. Patches must be reviewed and approved prior to implementation to ensure that the Information Asset will continue to function as designed and this approval process may extend the patch period to 90 days.

  • Emergency Implementation (attempted within 24 hours). Patches must be reviewed and approved before being implemented to ensure that the patches function as expected.

Workstations

  • Workstations must have automatic updates enabled for operating system patches.

  • Normal Implementation (30 days). Patches must be reviewed after each Windows Patch Tuesday (2nd Tuesday of every month) and approved before being implemented to ensure that the patches function as expected. Patches may be tested in pilot groups for 2 weeks; after the 2-week testing period, they are deployed to all Corporate Group images and Workstations.

  • Emergency Implementation (attempted within 24 hours). Patches must be reviewed and approved before being implemented to ensure that the patches function as designed. Patches are tested in pilot groups; after testing is completed, they are deployed to all Corporate Group images in phases.

Network Devices

  • Production network devices must have up-to-date security patches, hot-fixes, and service packs installed to protect them from known vulnerabilities.

  • Normal Implementation Cycle (30 days). The normal implementation cycle is 30 days after release. However, some vendors require patches to be reviewed and approved prior to implementation to ensure that the application will continue to function as designed, and this approval process may extend the patch period to 90 days.

  • Emergency Implementation (attempted within 24 hours). Patches are reviewed and approved before being implemented to ensure that the patches function as expected.

Applications

  • Production applications must have up-to-date security patches installed to protect them from known vulnerabilities.

  • Normal Implementation Cycle (30 days). Patches must be reviewed and approved prior to implementation to ensure that the patches function as expected.

  • Emergency Implementation (attempted within 24 hours). Patches must be reviewed and approved prior to implementation to ensure that the patches function as expected.

Patching exceptions

  • Patches on some Information Assets (e.g., servers and applications) may require complex testing and installation procedures. In certain cases, risk mitigation rather than patching may be preferable.

  • The risk mitigation alternative selected should be determined by comparing the risk of an outage caused by patching against the risk of continued exposure to the vulnerability.

  • The reason for any departure from the above standard and alternative protection measures taken shall be documented.

  • Deviations from normal patch schedules shall require Information Security Team authorization.

Patching Procedures

  • Automated tools to identify missing patches in Information Assets must be used.

  • Automated discovery of missing patches must be managed according to the Vulnerability Management Process.

  • Patches must be tested and implemented according to the Change Management Policy.

Review and Update

This Policy must be maintained in accordance with the Information Security Policy.

Revision History

Version   Author   Approved By   Revision date   Approval date
0.1       GK                     2023-05-20      2023-05-23
0.2       DM                     2023-11-02      2023-11-02
0.3       GK       DM            2024-09-10      2024-09-10
